AI Act: Only 8 Member States Out of 27 Are Ready - What This Really Means for Your Compliance

By August 2, 2025, all EU member states should have designated their national competent authorities to apply the AI Act - their single point of contact, their market surveillance authority, their notifying authority. Legal deadline, clear obligation, published text. Result: only 8 member states out of 27 met that deadline. This figure, surfaced during the Digital Omnibus debates in the European Parliament, speaks volumes about the actual state of European readiness for its own AI regulation.

For businesses, the immediate question is legitimate: if the states themselves aren't ready, do I need to be? The answer is unambiguous: yes.

What Article 70 Requires From Member States

Article 70 of Regulation (EU) 2024/1689 is explicit. By August 2, 2025, each member state was required to:

• Designate at least one market surveillance authority, responsible for verifying the compliance of AI systems deployed on its territory
• Designate at least one notifying authority, responsible for accrediting certification bodies for high-risk systems
• Notify the Commission of its single point of contact (SPC) to centralise exchanges
• Make the contact details of these authorities publicly available electronically

These authorities play a central role: they are the enforcement arm of the AI Act on the ground. They will conduct investigations, order compliance measures, impose fines and coordinate with the EU AI Office at European level. Without them, the regulation remains an obligation with no national enforcement body.

Who Has Acted - and Who Is Behind

Among the states that have advanced their designation processes, a few notable examples:

France

France opted for a coordinated multi-authority model. The DGCCRF acts as the single point of contact. Several sectoral regulators are involved: the CNIL for personal data aspects, ANSSI for cybersecurity, ARCOM for digital content, and the HAS for AI-integrated medical devices.

Germany

Germany designated the Bundesnetzagentur (Federal Network Agency) as market surveillance authority and the Deutsche Akkreditierungsstelle as notifying authority. The country went further by adopting the KI-MIG draft law in the federal cabinet in February 2026 - the first national transposition framework.

Spain

Spain made a structural choice by creating a dedicated agency: AESIA (Spanish AI Supervisory Agency), working in coordination with the AEPD (data protection), the Bank of Spain and the CNMV.

Ireland

Ireland opted for a decentralised model with fifteen designated competent authorities, coordinated by the National AI Office operational since September 2025.

These countries are the exception. Most of the 27 member states have no formally operational framework yet - creating an unprecedented situation with fewer than five months to the deadline.

Why This Delay - and Why It Strengthens the Digital Omnibus Logic

This delay is not incidental. It is structural and reveals three simultaneous problems:

• Lack of harmonised standards: without CEN-CENELEC technical standards, national authorities don't know the precise criteria against which to assess high-risk system compliance. Designating an authority without giving it the tools to work is largely ineffective.
• Lack of resources and expertise: the AI Act requires authorities to have competence in AI, data protection, cybersecurity and law. This rare profile is difficult to recruit in the public sector.
• Organisational complexity: some member states - particularly those with federal or highly decentralised structures - struggle to determine which existing authority to repurpose, or whether a new structure is needed.

This context directly reinforces the European Commission's argument for the Digital Omnibus: how do you seriously enforce a regulation if the authorities supposed to do so are not operational? This is one of the central arguments justifying the proposed delay of high-risk obligations to December 2027.

This is not a sign of regulatory weakness - it is a sign of realism. The AI Act is a regulation of unprecedented complexity. Giving it the tools to function properly is better than applying it too quickly and poorly.

What This Concretely Changes for Your Business

Many compliance managers are asking the direct question: if the state isn't ready to control, can I slow down?

The legal answer is no, for three reasons:

1. The AI Act is a directly applicable EU regulation

Unlike a directive requiring national transposition, an EU regulation applies directly in all member states without an intermediary law. The fact that a state has not yet designated its national authority does not suspend your legal obligations. You are subject to the AI Act now.

2. The AI Office can partially substitute for national authorities

The Digital Omnibus specifically strengthens the role of the AI Office as the central authority. For GPAI models and systems integrated into very large platforms, the AI Office will have direct investigation and sanction powers, independently of national authorities. Supervision doesn't disappear in the absence of national authorities - it centralises.

3. Your contractual liability to clients already exists

Beyond regulatory sanctions, your clients - especially large groups and public bodies - are starting to integrate AI Act compliance into their procurement processes and contracts. Non-compliance carries commercial risks that don't wait for national authorities to become operational.

What You Should Do Despite This Context

1. Identify your national competent authority by sector: if your country has already designated its authorities, identify which one will be competent for your systems. In France, depending on your sector, this will be the CNIL, HAS, ARCOM or DGCCRF. Establishing early contact is an advantage.
2. Document your good-faith approach: in the event of an audit during the first months of enforcement - often more tolerant on form than substance - showing a dated AI system inventory, risk classification and compliance plan is concrete protection.
3. Don't wait for authorities to move forward: classifying your systems under Annex III, documenting your human oversight, updating your legal notices for Article 50 - none of these steps depend on a national authority being operational.
4. Monitor designations in your member state: announcements come as weeks pass. The Commission publishes the list of single points of contact as they are notified. Stay informed via the AiActo AI Act timeline.

The free AiActo diagnostic helps you classify your systems, identify your obligations and start structuring your documentation - without waiting for your national authority to become operational.

Frequently Asked Questions

If my member state hasn't designated its authorities yet, can I be penalised?

Legally yes - the AI Act is directly applicable. In practice, early strict enforcement will likely concentrate in states where authorities are operational. But "probably under-enforced in the short term" is not a sufficient legal basis for ignoring your obligations. Documented non-compliance remains non-compliance.

Who supervises GPAI models if national authorities aren't ready?

The AI Office at European level. GPAI obligations (Articles 51-56) have been in force since August 2025, and the AI Office has direct investigation and sanction powers over these models, independently of national authorities.

Who is the competent authority for a company in France?

In France, the DGCCRF is the single point of contact. Depending on your sector and system, the CNIL (personal data), HAS (health), ARCOM (digital content) or ACPR (finance) may be competent. For technical matters, ANSSI and PEReN provide shared expertise support to other authorities.

Does the member states' delay justify postponing my compliance work?

No. The AI Act applies directly to companies. National authority delays may temporarily reduce audit risk, but do not reduce your legal exposure or commercial risk with clients. Starting early remains the most robust strategy across all scenarios.

Does the Digital Omnibus also suspend company obligations pending authority readiness?

No. The Digital Omnibus proposes to delay application deadlines for companies - not to wait for authorities to be operational. If adopted, obligations would shift to December 2027, but this delay would apply uniformly, independent of national authority readiness.

The delay of 19 member states out of 27 sends a clear signal: the AI Act is a regulation of rare complexity that neither companies nor states fully anticipated. But this signal doesn't change the direction - it confirms the urgency of preparing seriously, using structured tools rather than waiting for institutional clarity that will take time to arrive. Check the complete AI Act timeline to follow all regulatory calendar developments.